Naked Security

Computer Security News, Advice and Research
Hacker empties high roller’s online Poker account of $115K

21 Sep 2012, filed under Malware
by Paul Roberts

A high stakes online poker player says that an unknown hacker used a malicious image file to compromise his account and empty it of more than $100,000 in winnings – the latest in what players say is a string of scams.

The player, who uses the handle _MicahJ_, claims that a fellow member of the twoplustwo forums lured him into an online poker game in order to size up his online holdings.

That user then sent an email containing a malicious image file that installed a keylogging Trojan on his system. The attacker then emptied the account of over $115,000 in poker winnings over three days.

“I knew I shouldn’t have opened it but didn’t think until after the matter. I contacted others on suspected scamming but couldn’t get anything done until it was too late,” he wrote.

According to the user, who did not immediately respond to requests for comment, the hacker – using the handle highgrind22 – gained access to an account at the website Lock Poker for three days. During that time he made small transfers out of the account to an account linked to a yahoo.com email address. The attacker also played in high stakes games, losing around $80,000 to another player.

The post, on Saturday, elicited hundreds of responses from twoplustwo users, most online poker players themselves. The ensuing conversation has become something of an online ‘whodunnit,’ with players attempting to uncover the identity of the attacker, and others stepping forward to clear their name from the scandal.

The list of suspects includes a twoplustwo forum member who uses the handle WHITNEYDOH, and who made tens of thousands of dollars in online winnings playing against what _MicahJ_ claims was a hacked account. After briefly having his account suspended by Lock Poker, however, that user was reinstated and claims innocence.

It is not known for sure if _MicahJ_ was the victim of a malicious software attack and, if he was, what kind of malware was used.

In posts to twoplustwo he claims to be a Mac user, which means that any malware used would have to work on that platform. Also unclear is whether Lock Poker provides any insurance for online holdings, or any monitoring to prevent sudden and unexplained account-to-account transfers.

Lock Poker declined to comment. “We cannot disclose any findings of any investigation for privacy and security concerns,” the company said in an email to Naked Security. “Rest assured, we put a significant amount of time, resources and technology in minimizing the chances of fraud occurring.”

Online poker forums are a popular target for hackers, given the large sums of money that change hands in online gaming. In fact, twoplustwo itself was hacked in April, reportedly compromising the accounts of forum members.

In March 2011, a 29-year-old man received two years in prison for hacking into a computer server, then stealing and laundering 400 billion virtual poker chips from the online gaming firm Zynga, worth an estimated $12 million.

Past attacks, however, have focused on online poker platforms as much as players.

In 1999, researchers (including Adobe’s security boss Brad Arkin) famously identified an off-by-one error in a shuffling algorithm used by the Web site PlanetPoker.

That allowed the researchers to predict the outcome of supposedly “random” virtual deck shuffles used on the site.
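The PlanetPoker finding is a good illustration of why a biased shuffle is a predictable one. The following is an added example, not the site's code or the researchers' code: a correct Fisher-Yates shuffle beside a constructed shuffle whose swap index is one short of the deck, plus a counter showing which card lands in the last slot. The flawed version is an assumed simplification of the reported off-by-one error, not a reproduction of it.

```python
import random
from collections import Counter

DECK = list(range(52))   # constructed deck: card ids 0..51; card 51 starts in the last slot

def fisher_yates(deck, rng):
    """Uniform shuffle: slot i receives a card drawn from the not-yet-fixed slots 0..i."""
    deck = list(deck)
    for i in range(len(deck) - 1, 0, -1):
        j = rng.randint(0, i)             # inclusive at both ends, so every slot is reachable
        deck[i], deck[j] = deck[j], deck[i]
    return deck

def off_by_one_shuffle(deck, rng):
    """Constructed flawed shuffle (a simplification of the reported bug, not the site's code):
    the swap partner is drawn from 0..n-2, one short of the deck, so the last slot is only
    touched at the final step and the card that started there can never remain there."""
    deck = list(deck)
    n = len(deck)
    for i in range(n):
        j = rng.randint(0, n - 2)         # off by one: slot n-1 is never chosen as a partner
        deck[i], deck[j] = deck[j], deck[i]
    return deck

def shuffled_once(shuffle, seed=7):
    """One shuffle with a seeded generator, so results are reproducible."""
    return shuffle(DECK, random.Random(seed))

def is_permutation(deck):
    return sorted(deck) == DECK

def last_slot_distribution(shuffle, trials, seed=1):
    """Count which original card lands in the last slot over many shuffles.
    A uniform shuffle gives each card about trials/52 hits; a biased one does not."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(trials):
        counts[shuffle(DECK, rng)[-1]] += 1
    return counts

if __name__ == "__main__":
    for name, fn in (("fisher_yates", fisher_yates), ("off_by_one", off_by_one_shuffle)):
        dist = last_slot_distribution(fn, 52_000)
        print(f"{name}: card 51 in the last slot {dist[51]} times of 52000 (uniform: ~1000)")
```

A player who knows the flawed shuffle knows, before any card is dealt, that the card that started in the last slot will never be the last card of the deck; that kind of certainty is exactly what a uniform shuffle denies.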


Poker player image from Shutterstock.

  • 2+2
  • account hijack
  • account takeover
  • Gaming
  • hacking
  • Lock Poker
  • mac
  • Malware
  • No Limit Hold 'Em
  • Poker
  • poker chip


About the author

Paul Roberts

Paul is a Boston-based reporter and industry analyst with more than a decade of experience covering the IT industry, cyber security and hacking. His work has appeared on threatpost.com, The Boston Globe, salon.com, NPR's Marketplace, Fortune Small Business, as well as industry publications including ZDNet, Computerworld, InfoWorld, eWeek, CIO , CSO and ITWorld.com. Paul got his 15 minutes as an expert guest on The Oprah Show - but that's a long story.

8 comments on “Hacker empties high roller’s online Poker account of $115K”

  1. Some guy says:
    September 21, 2012 at 12:28 pm

    According to Micah on 2+2, it was a file with .exe ending (bankstatement.jpg.exe) which he opened in his Windows emulator.

    Reply
    • Graham Cluley says:
      September 21, 2012 at 12:32 pm

      That sounds most likely.

      We have seen malware attacks spread via booby-trapped image files before (exploiting vulnerabilities), but it's more common for malware to be spread using the old double-extension trick.

      Reply
      • njorl says:
        September 24, 2012 at 5:34 pm

        Your second paragraph makes me wonder whether I was mistaken to enjoy your irony, in the first.

        I haven't seen the user transaction for opening an Exe in a Windows emulator under Mac OS, but I'd guess there's an opportunity to realise what you're doing and cancel.

        Regardless, what appears to be being suggested is a Windows Exe which, running within the emulator, is able to install a key-logger on the host Mac OS. This would be similar to a virus breaking out of your test-lab VM to infect its host system. Probably not impossible but quite far into the impressive end of attack crafting.

        Reply
  2. Gavin says:
    September 24, 2012 at 4:17 pm

    I wonder if it's time for Microsoft (or some third party who can program a lot better than I) to build in a warning whenever a file has two extensions, each of which are three characters, and the last of which is executable.

    Knowledgeable people are not normally hoodwinked by it (though anyone can be caught off-guard), but it's too much to expect that all users need to know how extensions work, how one can be hidden and not the other, and so on.

    This isn't exactly Microsoft's problem (I'm laying no blame here), but I do see an opportunity for them to improve security by turning the file name red or having a pop-up warning when such a file is double-clicked (obviously with a "Don't show this again" check box too).

    — Gavin

    Reply
    • Deonast says:
      September 24, 2012 at 11:31 pm

      Doesn't help though that say in windows 7 for example by default the file extension is hidden in windows explorer. So it would be easy for users to see .jpg and not the .exe after and not think twice. I really think this dumbing down of the user experience is bad for security.

      Reply
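Gavin's idea above, a warning when a file name carries a document or image suffix in front of an executable one, and Deonast's point that Explorer hides the final suffix by default, can be expressed as a small attachment classifier. This is an added example, not code from Sophos, Microsoft or the commenters; the extension sets are constructed subsets, not a complete list of what Windows will execute.

```python
import os

# Suffixes Windows runs directly (constructed subset for this example, not a complete list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}
# Suffixes a decoy name typically mimics (constructed subset).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}

def file_name(path):
    """Final path component, accepting both slash styles."""
    return os.path.basename(path.replace("\\", "/"))

def split_extensions(path):
    """All dotted suffixes, lower-cased: 'bankstatement.jpg.exe' -> ['.jpg', '.exe']."""
    parts = file_name(path).split(".")
    return ["." + p.lower() for p in parts[1:]]

def displayed_name(path, hide_known_extensions=True):
    """What an Explorer-style listing shows: 'hide extensions for known file types'
    strips only the final suffix, so the decoy suffix is what the user sees."""
    name = file_name(path)
    root, ext = os.path.splitext(name)
    return root if hide_known_extensions and ext else name

def assess(path):
    """Return (verdict, reason): 'block' for an executable hiding behind a document or
    image suffix, 'warn' for a plain executable, 'ok' for anything else."""
    exts = split_extensions(path)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return "ok", "not an executable type"
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return "block", (f"double extension: shown as '{displayed_name(path)}' "
                         f"when extensions are hidden, but runs as {exts[-1]}")
    return "warn", "executable attachment"

if __name__ == "__main__":
    for sample in ("bankstatement.jpg.exe", "holiday.jpg", "setup.exe", "notes.tar.gz"):
        print(sample, "->", assess(sample))
```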
  3. Marc says:
    September 25, 2012 at 4:57 am

    Speaking as someone on a pension who has to survive on a low income, I find it hard to feel any sympathy for anyone who has that kind of money to waste on gambling and is then stupid enough to click on things they shouldn't. 'So sad, too bad' are my feelings on the matter.

    Reply
  4. Dngr66 says:
    September 26, 2012 at 6:43 am

    That's pretty crazy. I don't know why he would keep that kinda money on any online site.
    But the thing sounds kinda fishy. He probably wanted to do some high stakes betting, so he "sent" it to a fake account and this was his backup plan.

    Reply
  5. HollyToft says:
    October 7, 2013 at 9:17 pm

    I would advise anyone who does regular financial transactions online to educate themselves to the world of online hacking, scams and such.
    And to remember that gambling is an extension of the Art of War… and he got taken down in a black op.
    Knowledge is power as they say.

    Reply
